Welcome to the Office Hours with EAB podcast.
In this episode, EAB’s Chief Information Security Officer Brian Markham talks about emerging information security challenges facing higher ed.
Brian covers everything from the initial technical difficulties posed by campus closures to “Zoombombing” to the latest phishing scams. He also discusses how campus IT professionals can communicate more effectively with faculty and staff about staying safe online.
“Managing information security in higher education is incredibly complicated, and that’s not talked about enough.”
“Technology was complex before COVID-19, and now it’s even that much more complex.”
“Right now, more than anything, when we’re feeling detached from our campus community and help is even further away, it is easier for these criminals to pick people off one by one.”
0:00:16.6 Matt Pellish: From EAB, I’m Matt Pellish, and this is Office Hours, our weekly podcast exploring all of the biggest challenges facing higher education. A few weeks ago as COVID-19 cases started to spread all over the country, colleges and universities decided pretty smartly: close up their campuses, send students and faculty out, they’re gonna learn and work in a completely remote environment. The campus leaders we’ve all talked to, they saw a great opportunity in the use of technology here, but there was another group that saw even greater opportunity, and that was cyber criminals.
0:00:51.9 MP: In today’s episode, I sat down with Brian Markham, this is EAB’s Chief Information Security Officer, to talk about all of the threats to campus technology, how to communicate effectively with your students, your faculty, and your staff, and even how to avoid new threats like Zoom bombing, which has only recently become a threat in the cyber security world. Thanks for listening, and welcome to Office Hours with EAB.
0:01:21.0 MP: Brian, welcome to Office Hours. Thanks so much for being with us this week.
0:01:25.6 Brian Markham: Thanks, Matt. It’s good to be here.
0:01:27.6 MP: You are our Chief Information Security Officer here at EAB. And for those who are a little less familiar when it comes to information security or InfoSec, maybe you could describe a little bit of what that is and what you do.
0:01:41.3 BM: Yeah, I would be glad to. So my job as the Chief Information Security Officer at EAB is really to protect EAB and our partners’ digital assets, so the systems that we run, the networks that we work on, the data that our partners entrust in us. It’s really up to me and my team to work throughout the firm to work with our partners, the software developers, the system architects, our salespeople, to make sure that we’re doing everything we can to protect that data and to build systems that are resilient and secure along the way.
0:02:14.6 MP: And what do you do when it comes to the support of the EAB staff or when you’re thinking about training people, teaching them about information security? You’ve got people like me, I’ve got no tech background, I admit that right from the start, my background is all in higher education. Is it a challenge, something that you’ve been successful at when it comes to training people who are day-to-day working with our technology, but don’t really understand the background of it or what goes into keeping us safe and keeping our technology systems working?
0:02:42.1 BM: Yeah, this is one of the biggest challenges, I think, in our profession and the information security profession, and my perspective on it maybe is a little unique, but I believe it’s a good one. And I think that everyone, whether they have a tech background or not, everyone that we work with is pretty smart, and if you are able to explain something to them in a way that makes sense to them, they can learn. And that is the approach that I usually take. I try not to be too technical. I try to tell stories because people remember stories, it’s an effective way to learn anything. And I try and create materials and experiences that are memorable for them. So rather than just put up a bunch of slides and talk to them about different types of attacks and things that they may have read in the newspaper, I’ll tell a story about when I was working at a certain place, or even a story about a time that I got phished or I was a victim of an email scam. That’s usually very effective. So I think if you just treat people like they’re smart, create great content and find ways to engage them that are unexpected, I think that you can create a memorable learning experience for people.
0:03:56.3 MP: Speaking of previous experiences where you worked before, you do have an experiential background in higher ed security. Tell us a little bit about that, what were you doing before you came to EAB?
0:04:05.3 BM: Yeah, I’m really lucky to have worked with so many great people in my career that have taught me so much and made me into the person that I am today. So, I was able to spend about half of my career working in higher education, both at the University of Maryland, first in their office of information technology, and then in their security office, and then I spent six years most recently at the George Washington University working in risk and compliance, and then leading their security program for about four years. I love higher ed, I’m passionate about the mission of higher ed, I think it’s the greatest source of upward mobility in our society, so it’s a mission that’s really easy to get behind. And if you can do a great job in security in higher ed, you can make it easier for our students to learn, create more effective ways for faculty to be able to teach and allow everyone to just be part of the community in a way where they don’t have to worry about stalkers or people accessing their data or losing data, and I’ve seen all of that happen and know how disruptive it can be. So, I’ve really enjoyed my time working in higher ed, and like I said, a real easy mission to get behind.
0:05:15.1 MP: Do you feel people worry about things like losing their data or people stalking their email, things like that? I only say, maybe I’m really bad at this, I don’t. I’m not worried every day, maybe that’s because you are keeping me safe, but I don’t think the average person in day-to-day is worried about, “Hey, well, what’s happening to my data?” I’m curious, has that been the case? Or, am I exceptionally bad at this?
0:05:36.2 BM: No, you’re not exceptionally bad at it. I think most people don’t think about it, and I don’t necessarily think that’s a problem. A lot of people don’t think about their blood pressure on a day-to-day basis. If you don’t have a blood pressure problem, you probably don’t think about that, but when you go to the doctor, it’s your doctor’s job to take the measurements and let you know if you need to adjust your behavior, and I kind of see my role in a similar way. And that, yeah, you might not think about how you’re backing up your data, you might not think about your individual behaviors, but if I see something out there, if there’s something that I can offer from an advice perspective, or if there’s a piece of data that I come across that I think I can put to use to make things, to reduce risk and to make you safer, that’s my job to bring that up.
0:06:25.3 BM: I think so often information security professionals can think in a bubble and think that everyone thinks about this stuff, or everyone should think about this stuff, and that’s just not the way that the world works, people are busy and people have a lot going on, and the last thing that people think about is all of the different types of threats and attacks that are out there. So, maybe some people should be a little bit more concerned, but I’m okay just being there for them. I tell people all the time when we talk, when people apologize and say, “I’m so sorry I have to bring this to you,” or “I’m so sorry I clicked on that thing.” I say, “That’s okay. That’s literally why I’m here, that’s why I get paid, and I’m glad that you came to me.” It’s problematic if people don’t come to you, and if you create an environment where people think that they’re dumb because they clicked on something, or they’re negligent because they didn’t think about something, that’s not the kind of relationship that you wanna have with your stakeholders.
0:07:20.0 MP: And I have to say you’ve done a good job at this because just yesterday I sent you a phishing email, not you but our entire information security team and did catch one. So, I’m smart enough now that you’ve done the training, you’ve done the leg work to make us feel safe and us know what we’re looking for. But I wonder if we go back to when you were in the university setting, what were some of the threats you were concerned about then? How have they evolved or gotten more complex over time? And now, in the era of COVID-19, when everybody’s gone remote: students, faculty, staff, everybody. What do those concerns look like now?
0:07:54.7 BM: Yeah, I think one of the things that I would want university leaders to know is that managing information security in higher education is incredibly complicated. And I think that’s not talked about enough, because if you are managing information security at a company, it is very easy to implement policies and rules and everybody can have the same version of laptop and everyone runs on the corporate network, or you can make it so that you can’t access certain resources unless you’re connected to the private network over VPN. You can’t do that in higher education, it doesn’t work the same way because just take my experience at GW, we had 10,000 employees that includes faculty and staff, 28,000 students, 9000 of which live on campus, the other they commute or they’re in part-time programs or graduate programs, how are you going to roll out a set of policies that could apply to all of those people? It is not possible, because when you think you’ve got a policy that would apply to 100% of people, you’re gonna find an edge case; you’re gonna find someone with a team of people doing research in Africa that can’t connect back to the campus reliably, so they won’t be able to take advantage of that controller, they might not be able to get the one-time password to use as a second factor.
0:09:18.1 BM: So, managing information security on campus is incredibly difficult already, and then when you take that environment and then break it up across the country and across the world like I think COVID-19 has forced us to do, you’ve got a whole another set of challenges because now you’re dealing with this incredibly diverse group of users: Researchers, faculty, students, staff, and now you’ve got to account for their individual approaches to using technology in their homes, which just adds a degree of complexity and variability that I think, I’m not gonna lie, I’m glad I don’t have to manage that right now, but it’s incredibly difficult. And obviously, there are some things that security teams and leaders can do to put the odds… We can talk about it if you want, but…
0:10:11.7 MP: Yeah, if you had say, three to five top things right now, that if I were an administrator or I were a leader at university then I’d say I need to put this in place, or these are my protective measures, my policy, the big three or five. Right now today in COVID-19, what might those be for you? What are the ones that come top of mind?
0:10:28.2 BM: I think just the ones that come to mind first is, everyone should be assessing risk. This is not a technology problem, it’s a risk problem ultimately, and technology is just one way that we experience risk. I think for leadership, they wanna have a good idea of what their risk profile is at any time, and understanding how the risk profile has changed as a result of going remote is incredibly important. So I would make sure that you are performing risk assessments and that you understand how the risk landscape has changed as a result of people working remote and offering classes remotely. So that’s the first thing that I would do. Because once you…
0:11:07.6 MP: But how has it changed? I’m just curious, there were risks that may fall on a full risk register profile that we’re looking at that may have been a little bit lower before everybody went remote. Are there any that jump to the top of that list that people are looking at now and re-evaluating what was not a priority pre-COVID-19, pre-remote workforce?
0:11:24.2 BM: Yeah, that’s a really good question. I think it’s going to obviously depend on the institution, but I’ll give you an example. Not every institution buys their employees, their faculty or their staff laptops. Sometimes they buy desktops because they’re more cost effective. How do you bring a desktop home? A lot of people don’t do it.
0:11:45.0 MP: Unplug it and carry it? [chuckle]
0:11:47.8 BM: Yeah, I mean they could. Yeah, it’s possible, but it’s also possible that a lot of employees, faculty and staff, and obviously students as well, because students have always brought their own devices, they’re using their personal machines, and so now you maybe have the family PC being used to help people with their payroll and taxes, or they’re using the family PC to teach a course, or their home computer to take a course. And so, how do we account for the security of those networks that they’re operating on? How do we account for the software, the good and bad software that might be running on that computer? So, there’s just a lot of variability that comes into play when you send everyone back to their homes. When you are on campus as a security professional, you have access to a tremendous amount of data and telemetry about what’s going on, on the campus network.
0:12:46.2 BM: So if there is a computer on your campus network that has malware on it or is infected by something, you will see that traffic on your network and then you can take action, you can reach out to that user. When they are home, you might not see that, so that person would just go on operating as if everything is fine, and they might be infected with malware the entire time. So that could open you up to ransomware, it could open you up to different types of attacks that when you are in a more controlled environment our security team would be able to identify and take action on much easier.
0:13:22.5 MP: You mentioned a couple of those things: Malware, ransomware; I hear these terms all the time and know a little bit about them, can you give us a little bit of clarity around what you mean when you say malware, what you mean by ransomware? Things that people maybe don’t even know are on their machines and maybe they should.
0:13:37.3 BM: Yeah, so malware is just malicious software. You can get malware through a number of different actions or missteps, but just think about malware as a malicious software, and ransomware is a type of malicious software that essentially encrypts your data on your computer or renders it unable to be read unless you pay a ransom, and so usually what the attacker will say is, “We’ve encrypted all the files on your computer, and if you want the decryption key to be able to access your files again, you’ll pay us $2000 in Bitcoin, send it to this address and we’ll send you the decryption key.” And what makes it so frustrating is that sometimes they won’t send you the decryption key, but most of the time they do because they want you to pay the ransom. And if word got out that people are paying the ransom and they’re not getting the key, then people stop paying the ransom.
0:14:36.5 BM: But sometimes it’s just scareware, they’re just trying to scare you into doing something, and in fact, they haven’t really encrypted the files at all. I hope that that answers your question about what malware and ransomware are. But, yeah, we worry about this because obviously, it’s disruptive to the user or community, and it can cost the institution a fair bit of money, especially if it’s done on the right system, or if you haven’t taken backups of that system, it could be very damaging. And I think that there’s some pretty well-documented examples for how ransomware has negatively impacted higher education.
0:15:14.5 MP: Do you have any from your time that just still kinda keep you up at night or do you wake up in a cold sweat remembering that malware experience at the university, or even at EAB, that just still to this day you were so impressed by what scammers did and the amount of work that went into overcoming it that still stand out for you?
0:15:34.1 BM: Yeah, I can tell a couple of stories. One of them is actually… It’s upsetting for me to just think about. A faculty member called me once and said, “My computer’s acting a little weird. It’s telling me I need to pay a ransom. What do I do?” And I asked her, “Do you have any backups of the computer? Have you used Time Machine?” “No, I didn’t back anything up.” And she ended up losing 45 years of research because she got hit with ransomware, and there wasn’t a whole lot that we could do for her at that point because she was operating on her home network. We actually had controls in place on campus to be able to detect ransomware and be able to stop it from encrypting the files, but we couldn’t do that for her home experience, so she ended up losing those files and I felt very bad for her ’cause there wasn’t anything I could do to help, and I go to work every day to prevent these things from happening, and so I felt pretty bad about that.
0:16:34.6 BM: But then, of course, you hear success stories where you had… Another example from when I was in higher ed, a malicious actor tried to get into our data center and use the phone outside the data center and called the help desk and said, “I’m actually working for Brian Markham, and he told me I could access the data center but I can’t reach him. Can you let me in?” And the guy on the other end of the phone said, “No, I know Brian, and if I can’t get a hold of him, he wouldn’t want me to let you in.” And so, he was able to shut down that attack right away. So, we see it all in higher education, and that was one of the best parts about working security in higher ed.
0:17:16.9 MP: And that was a story from university experience, not from EAB.
0:17:21.2 BM: Correct.
0:17:21.3 MP: From when you’re doing faculty.
0:17:23.5 BM: Yeah, correct.
0:17:24.3 MP: We hear a lot of those stories about faculty. One that you and I were talking about and conversing over email about was, say software complexity. Faculty are now trying to teach remote, they are provided some software. Maybe they’re using Zoom, maybe they’re using WebEx, maybe they’re using some other application that they’re a little less familiar with, they go out, they find something that they like better, download it themselves or try to run that, which adds to this massively complex software infrastructure that tech then has to support and keep safe. This seems to be something that’s recurring in a lot of stories, a lot of what we’re hearing from our partners, just general reactions of how you can help universities or what they should be looking for to prevent that from happening, or mitigate the damage or risk that comes into play when faculty are out there in a remote environment using whatever they think is best and not as bad for learning, but does add a hard time there for the InfoSec people? I’m curious of your thoughts and reactions in that scenario.
0:18:19.7 BM: Yeah, absolutely. I think the number one thing is you have to listen to your faculty, you have to engage with them to understand what their pain points are and what resources they ultimately need to be able to teach effectively online. Because if you don’t do that, if you just stand up a bunch of technology and say, “Here you go, have at it,” someone will ultimately have a gap and they will find a solution to that problem on their own, and sometimes the solution to that problem, unbeknownst to them, might open the door for some risk that you can’t account for or wouldn’t otherwise want to take on. So I think if you engage them in a process and listen to them and understand what their needs and requirements are, you can really control that experience better and provide overall a better experience, not only for them but for the students, because that gives them a chance to test things, you make sure everything works, everything’s documented, they can be trained on how the different components of the online education environment work for them.
0:19:27.8 BM: So I think that’s always what I tried to do when I was working with faculty is really, well, first of all, I always read their bios and tried to get to know what they did, what they cared about, what they were researching, and then use that to drive my conversations with them to learn a little bit more about how they see the world, and then try and find a common ground so that they could get their work done in a way that was effective for both them, but also for their students.
0:19:54.3 MP: Right. And we started going down the road of what were some of the large IT concerns, a list of three or five that you thought university should be considering today in light of COVID and beyond. We went down a little bit of a tangent, we’re talking about risk, which I think was important to address. I’d love to go and revisit that and go back and hear what are some of the others you might add to that list of priorities or areas of concern for IT professionals today?
0:20:16.9 BM: Yeah. Well, obviously, the way that people are working has changed, and I think that there are some specific business processes that carry a little bit more risk than most that I would probably be checking in on and asking some questions like for example, financial aid. Financial aid requires a fair bit of personally identifiable information in order to just process financial aid, and so I would look into how the data is moving around, how the professionals that do that work are doing it, and if the move to remote work has changed the risk profile for those operations, I would do the same around taxes and payroll as well, because a mistake here could lead to unauthorized access to personally identifiable data, and the last thing I think an institution wants at this time is to have unauthorized access to that type of data. So, I would be looking at those processes in particular, but I’m sure there’s other processes too that people would wanna look into.
0:21:18.6 BM: And finally, I think I would be paying a lot of attention to… If you’re using single sign on or federated identity, I would be paying attention to suspicious logins, just seeing where people are logging in from, establishing essentially a new baseline. Because I think when classes were in session on campus towards the beginning of the spring semester, your network was essentially your perimeter, and you could get a good baseline for what activity looks like, and now all of a sudden it’s changed, the campus network is probably dead, and now that activity has dried up so you’ve gotta go somewhere else for it, and I think identity and logins is really the place to go. So I’d probably be paying attention to that because if you can detect a hijacked account or unauthorized access, you can take action on it, and obviously that’s the best you can do right now with people working remotely.
0:22:21.4 MP: During this time of crisis, emergency, everybody moving off campus, lots of complexity, it seems like the perfect time for a scam artist, a cyber-criminal to swoop in and take advantage of the unsuspecting students, faculty, staff, and others. And I just was talking to a provost this week and said, “Hey, we’re dealing with a cyber security incident where our students are getting emails that they think are from faculty, it’s from an email address they’re not familiar with, but since faculty are no longer on campus, they’re answering it, they’re clicking through.” I think that’s one example, one small example of what is probably taking place across the entire industry, and I’m curious if there are other ways that criminals are taking advantage of the fear or the uncertainty surrounding Coronavirus, that you’ve started to hear about, identify and work with some of our partners across higher education related to some of those challenges?
0:23:10.5 BM: Yeah, Matt. It seems like every day I’m hearing of something new that makes me stop and think, “Wow, I didn’t think about that before.” But these criminals are really good at what they do, and they are coming up with some really novel ways to attack students, faculty, and staff in higher ed environment. Students obviously, especially those that are getting ready to graduate, they’re looking for jobs, and so I’ve heard that there have been some fake job posts and emails going out about either full-time employment or internships that you click on the link, you provide some information to take advantage of those students and those desires to be employed. That sounds horrible, but that’s happening out there. And actually, let me pause for a moment because I think that the general playbook really hasn’t changed. It’s emails, it’s text, it’s phone calls, it’s just the flavor, the bait if you will, has changed. So yeah, you’re still seeing your gift card scams where someone says, “Hey, you got a minute, I need you to buy $500 of Walmart gift cards,” you’re still seeing that.
0:24:22.7 MP: Wait, I’m not supposed to click on that?
0:24:24.7 BM: Yeah, you’re not supposed to go to the store and buy the Walmart gift cards. Yeah. So you’re still seeing your run-of-the-mill phishing threats like that, but then you’re seeing more and more domains set up, buy some face masks here and you buy the face mask and they never show up. You’re seeing emails go out about, “Hey, donate money to this cause to help doctors and medical professionals,” and it’s not a legitimate call for money. So, I think the social engineering playbook really hasn’t changed, it’s still criminals taking advantage of human vulnerabilities and humans are… We are emotional and we are in a hurry and we don’t always think through things, and that doesn’t mean that we’re dumb, it just means that we don’t always make the right decisions on things, and these criminals take advantage of that to try and get us to do things that are in our best interest. And right now, more than anything, when we’re feeling more detached from our campus community, and help is even further away, it is easier for these criminals to pick people off one by one. So that’s why it’s more important than ever to stay in contact and still keep that feeling of community.
0:25:38.8 BM: If you’ve got an active social media presence, you use that. If you have a service desk, look at the data, see what people are calling in about, try and keep tabs on what your users are doing and what they need. Anything that you can do to try and keep that community together is going to be really important to making sure that they are telling you when there’s a problem, because I think it’s just more important now than ever that we keep the sense of community, even though we aren’t all on the same campus.
0:26:10.2 MP: Sure. Last week on the podcast, we had two of my friends, Michael and Caitlin talking about communication. In the midst of all of this, all of these scams, all the different communication channels from which students, faculty, staff are receiving university and college communications, is there a way that you as an information security officer think is better or the best way to communicate with the community in this type of environment and in this remote learning and organizational setting?
0:26:37.1 BM: Yeah, I think it’s important that your community understand where the reliable source of data is; where is the single version of the truth. If I wanted to create a Gmail account pretending to be a faculty member communicating with students, there’s a chance that some people are gonna fall for that.
0:26:55.1 MP: True.
0:26:57.6 BM: Because that’s really hard for someone to detect that that Gmail account does not in fact belong to their faculty member. However, if communications are going out through Blackboard or Canvas or through a central trustworthy platform, then a student might be more likely to say that email seems a little out of place compared with where I’m used to getting information, I’m gonna go ahead and ignore that.
0:27:25.2 MP: There’s something else that’s come up recently, maybe it’s a new term, maybe it existed before this, and I was just a little less aware of it. With everyone on Zoom and Zoom taking over a lot of the communications for classes, for meetings, for everything else, Zoom bombing has become a thing. What is it? How do you prevent it? How do you get around it?
0:27:42.5 BM: Yeah, so Zoom bombing is essentially people that you don’t want to join your Zoom meeting, joining your Zoom meeting, and this can really happen. Zoom has gotten a lot of press about various security vulnerabilities and security flaws, and I think to a certain degree, a lot of that criticism has been unfair because really this can happen with any communication platform if you don’t configure it properly and don’t put the right precautions in place. So yeah, we’ve heard some real horror stories about people’s dissertations being interrupted, people’s classes being interrupted, faculty members saying, “I’m done with this, I don’t wanna do this anymore.” So, what can people do? Well, first of all, Zoom has actually created a really great best practice reference for securing your virtual classroom, and you can find that in the Zoom blog, it’s from late March. But essentially, the three pieces of advice that I would give is require a password. If you’re gonna have a Zoom meeting, require a password. It’s usually just a six-digit pin so it is not overly burdensome for the user. I’d also implement a waiting room so that people can’t just join, they have to be admitted by the host, by the person running the room. And then I…
0:28:57.3 MP: I actually do that when running Zooms with my family just to make sure that I can keep some of them out.
0:29:02.5 BM: Yeah, that’s a great tactic.
0:29:04.4 MP: I’m kidding in case they listen to this podcast.
0:29:05.8 BM: Yeah. And also, I’d set the sharing privileges to host only, which means that only the host can share their screen and share content, and that would, I think, putting those three things in motion will definitely keep the Zoom bombers out of your meetings and make it so that you can have trusted communications with either your classes or with your colleagues.
0:29:30.0 MP: Another question for now, looking to the future, schools are not sure if it’s just a situation of a remote instruction now in the midst of the COVID-19 outbreak or if they should be preparing for full remote instruction in the fall. How are schools planning for the fall? Are there things they should be doing to set themselves up for success no matter what the scenario plays out for fall remote instruction?
0:29:53.4 BM: Yeah, I think we’re sitting here talking in late April, and if you start thinking about it, a lot of the fall semester is gonna start in late August, schools have a decent runway to start getting feedback from their faculty and their students, and start thinking about the technology that they wanna have in place in late August. People always say to me when I used to work in higher ed over the summer, they’d be like, “Oh, so you guys… Is it really slow?” And I’m like, “No, this is when we get our work done. This is when we can make big meaningful changes to our technology because we have time to test it, and if you get things wrong, it’s not gonna be a big negative impact on your user community.” Schools have runway now to get things right, to get that feedback and start… If there were mistakes that were made over the last six weeks, that’s okay. A lot of leaders had to run very quickly, make decisions very quickly with limited information, and honestly, I salute them because it’s very difficult to go completely online with a few days of notice, a week of notice.
0:31:01.8 BM: So, I think most institutions have done a really great job, but now you got a chance where you’ve got three months to play with where you can really get feedback, do some research, bring in some new service providers and really create a distinctive meaningful experience for online learning. And I think that if you really listen to your faculty and your students, try and fill some of those gaps and really do try and create that distinctive experience, and ultimately you wanna experience it secure and trustworthy too. I think that we could see schools really learn a lot and potentially in the future, offer really meaningful online options for learning that may not have been there before this pandemic.
0:31:43.5 MP: One more question for you, and this is switching gears a little bit, putting on a very different hat. Both of us were talking the other day about our role, not only as professionals here but as dads with our kids at home, when we’re all social distancing, we’re trying to educate our kids, we’re worried about their role and the things that they’re exposed to online, as they are also trying to learn in a remote environment. What are the things that you as a dad are thinking about? If you take both those hats, the dad, the Chief Information Security Officer, what are things that parents maybe should be aware of now when their kids are online that would be helpful or successful in mitigating any of those risks for the family?
0:32:19.6 BM: Yeah. It’s a really great question. I think really the number one thing I would say to parents out there is just, understand what your kids are doing online, just take an interest in it and understand what it is, because typically, most people that are not in information security don’t have a complete picture of all the bad stuff that’s out there. I don’t know if I’m at an advantage or a disadvantage because I have a little bit of insight into that. But for me, I just wanna know where they’re going. Nothing is perfect, but YouTube Kids tends to be a little bit more curated than YouTube in general. You can go down far fewer rabbit holes. YouTube can get pretty dark pretty quickly, but I think just understanding the apps that they’re using, the tools that they’re using, what information is required for them in order to use it. If your child is on an iPad, go into the privacy settings and see what access you’ve given some of these apps. Some apps are asking for microphone access when they do not need microphone access or video access.
0:33:39.9 BM: So these things don’t require a lot of technical expertise to do and do right, it really just requires you to really listen to your child, know what’s going on in those apps. A lot of these devices now have parental controls where you can actually set a time limit, but I think just being involved like, my kids are pretty young so I do the logins for them, so I know exactly what these platforms are doing and what they’re asking for, and that’s great because I get to experience it like they would experience it. But obviously, as kids get older and they’re doing more on their own, it can be tougher to walk in their shoes the same way you would if your child was young. I hope some of that’s been helpful, it’s a really tough problem to solve, and I’m not one of those dads that’s like, “Well, I’m gonna put something on my network that is able to block certain types of websites.” I don’t really wanna get into that with my kids, I didn’t have that when I was young, but I wanna trust them to make good decisions and I wanna trust but verify, I guess would be a good way to summarize it.
0:34:50.1 MP: We’re in a time now where everything is very complex. Technology was complex before COVID-19, and now it’s just even that much more complex or difficult for us to manage the unique environment and the uncertain times ahead. But I appreciate your time today, Brian. Thank you so much for joining us and sharing some of your insight related to security and technology, your role and the role universities can play and the things they should be thinking about. Appreciate it very much.
0:35:13.4 BM: Thank you, Matt.
0:35:21.8 MP: Thanks again for listening. Join me again next week when I welcome back two of my old friends, David Attis and Carla Hickman who are gonna give us some updates about the decisions that campus leaders have been making, as well as what scenario planning looks like for the fall of 2020. From EAB and Office Hours, I’m Matt Pellish. [music]